Pentagon has 70K cyber staff and a lot of overlap

In other news: Hackers steal SonicWall firewall configs; DeepSeek returns flawed code on purpose; UK arrests two Scattered Spider members.

This newsletter is brought to you by application allowlisting software maker Airlock Digital. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.

The US Department of Defense has more than 70,000 individuals working on cybersecurity and cyberspace operations, according to a report published this week that provided the first accurate number for such a task force.

The figure includes 61,000 military and civilian personnel and 9,500 temporary contractors spread across 504 organizations. They work for Cyber Command, the Army, Navy, Marine Corps, Air Force, and Space Force.

The report, from the US Government Accountability Office, was commissioned by Congress in 2023, after Russia's invasion of Ukraine and after several hacks of US government networks, to help lawmakers identify all of the Pentagon's cyber capabilities and to help review and optimize its operations.

Its main finding is that many organizations and groups across the Pentagon's branches provide overlapping services, and that there is room for cost-cutting and reorganization.

The most overlap was found in personnel training and in the administration of cybersecurity service providers.

While you might need to run multiple EDRs or parallel vulnerability scanners on the same networks, you don't want every branch setting up its own cyber training structures and basically duplicating and overpaying for the same thing, something that even GAO agreed with.

The report doesn't provide a figure for what the DOD could save from deduping, but it comes at the right time to help Defense, uhmmmm, Secretary of War Pete Hegseth make a decision when it comes to Pentagon cost cuts. The DOD hinted back in May that it was looking to release some of its civilian personnel from its cyber workforce.

But aside from US government optimization efforts, the GAO report has its own special importance, being the first full review and inventory of US cyber personnel, something that many in the cybersecurity and national security space will appreciate reading.

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show, with Pat and Adam at the helm.

Breaches, hacks, and security incidents

DHS I&A leak: A DHS office leaked unclassified data for two months, between March and May 2023. The leak occurred due to a misconfiguration in a platform managed by the DHS Office of Intelligence and Analysis (I&A). The Office collects surveillance data to share with other US law enforcement agencies. The misconfiguration exposed investigative leads to tens of thousands of users who did not have authorization to view them. Additional coverage in the Brennan Center for Justice.

MySonicWall security breach: Hackers accessed backups of firewall configuration files stored on the MySonicWall cloud service. SonicWall is notifying customers and asking them to reset firewall credentials. Less than 5% of SonicWall's firewalls are affected. The attacker allegedly used a brute-force attack to break into the accounts and steal the backup config files.

Grupo Zeta ransomware attack: The Mydata ransomware has leaked data from Grupo Zeta, one of LATAM's largest distributors of liquefied petroleum gas (LPG).

Survival Flight extortion: The World Leaks data extortion crew has leaked patient data from Survival Flight, a provider of medical air evacuation services. The hack took place in July and impacted almost 11,000 patients. According to DataBreaches.net, this is the company's second hack over the past year.

DeepSeek returns flawed code to certain groups: The DeepSeek AI engine returns code with security flaws if it determines that the coder is associated with a specific minority group. According to the Washington Post, programmers from Tibet and Taiwan received code of lower quality. DeepSeek also refused requests if queries hinted that the code would be used by the Islamic State or the Falun Gong movement.

General tech and privacy

Mastodon rolls out post quotes: The Mastodon quote posts feature is now live and rolling out.

Wasm 3 is out: Version 3 of the WebAssembly specification is now live. Most of its new features are already supported in all major browsers, except Safari, which has been lagging behind in almost all new standards for years now.

Tails 7 is out: The Tor Project has released v7.0 of the Tails privacy-centric operating system. The biggest change is a huge speed boost for boot-ups.

Windows 10 EOL: Consumer Reports has joined the increasing list of consumer groups that have asked Microsoft to continue supporting Windows 10 past its current EOL of October 14 next month.

Server on a vape: Embedded engineer Bogdan Ionescu has managed to host a web server on a disposable vape.

Fiverr layoffs: Fiverr will fire 250 employees, or about a third of its staff, as the company adopts AI to replace them.

Firefox 143: Mozilla has released Firefox 143. New features and security fixes are included. The biggest feature in this release is support for web apps: pinning websites directly to the taskbar and running them from there. You can now also preview the webcam before granting a website permission to use it. DNS-over-HTTPS has also arrived in the Firefox for Android version, five years after the desktop version.

Government, politics, and policy

Brazil passes age verification law: Brazil has passed a new data protection law. The new Digital ECA is similar to the UK Online Safety Act. It will require companies to introduce age verification checks to limit children's access to sexual and violent content. It also requires tech companies to introduce parental control systems to let parents limit a child's use of their platform. All platforms are banned from using a child's data for targeted advertising. Additional coverage in The Record.

Afghanistan bans fiber optic in a region: The Taliban government in Afghanistan has banned the installation of new fiber optic cables in the Balkh province "to prevent immorality." Additional coverage in the AP.

Moldova establishes disinfo agency: The Moldovan government will establish an agency to counter disinformation. The new STRATCOM agency will have 29 employees and will start operating within a month. First steps to establish the center began in 2023, but it will launch days after Moldova holds its parliamentary elections. Additional coverage in Moldpres.

ICE signs new phone-hacking contract: US Immigration and Customs Enforcement has signed a new $3 million contract with Magnet Forensics. The company merged with Grayshift in 2023 and is the maker of Graykey, a tool to force-unlock phones and extract user data. ICE also signed a $10 million contract with facial recognition company Clearview AI and reactivated a contract with Israeli spyware and surveillance maker Paragon Solutions. Additional coverage in TechCrunch.

Congress hearing on online radicalization: The US House Oversight and Government Reform Committee will hold a meeting with the CEOs of Discord, Steam, Twitch, and Reddit on the radicalization of online users. While you'd think this is because of all the right-wing activity on those platforms that has taken place for years and years, it's not. It's because of the recent Charlie Kirk assassination.

Chart: Extremist murders by ideology, 2013 to 2022.

In this Risky Business sponsor interview, Casey Ellis chats with David Cottingham and Daniel Schell from Airlock Digital. They discuss the challenge of browser extension management for enterprises, why it's a priority, and how Airlock can help.

Cybercrime and threat intel

UK arrests two Scattered Spider members: UK police have arrested two teen members of the Scattered Spider hacking group. Thalha Jubair and Owen Flowers were arrested at their home addresses on Tuesday. They are 19 and 18, respectively. They stand accused of hacking London's public transportation agency, Transport for London, last August. Jubair was also charged in the US for the hacks of 47 US companies and extorting ransoms of at least $115 million.

Suspect charged in UK political honeytrap scandal: A former UK Labour councillor has been charged with blackmail and communications offences related to a UK Parliament honeytrap scandal. Oliver Steadman allegedly posed as a woman and sent flirtatious WhatsApp messages and indecent images to 12 individuals, including five UK politicians. The incident took place in late 2023 and was initially believed to be the work of foreign hackers. Steadman was arrested in April 2024 and charged this week. He resigned from his position shortly after the arrest. Additional coverage in Politico Europe.

AI chatbots abused for scams: A Reuters study found that threat actors can easily trick AI chatbots into writing phishing emails, even if they should normally refuse these types of tasks. Tested chatbots included Claude, ChatGPT, DeepSeek, Gemini, Grok, and Meta AI.

M365 hack spike: Finland's cybersecurity agency has noted a sudden rise in hacked Microsoft 365 accounts in August. The agency received 70 reports last month of hacks that originated from compromised Microsoft 365 accounts. August alone accounted for a fifth of all breaches that originated from Microsoft 365 accounts this year (330).

GOLD SALEM profile: Sophos has published a profile on GOLD SALEM, a suspected Chinese threat actor that is behind the Warlock ransomware.

ShinyHunters profile: EclecticIQ has published a profile on ShinyHunters and the group's recent shenanigans. It's a good summary of all its recent TTPs, from vishing to phishing infrastructure. According to a different report from ReliaQuest, the group is now primarily focused on financial institutions.

ComicForm group: F6 researchers have spotted a new threat actor, ComicForm, using mass email campaigns to target companies in Russia, Belarus, and Kazakhstan.

GhostAction supply chain incident: PyPI says it invalidated all PyPI tokens stolen from GitHub repos by a malicious action on September 5, in a supply chain attack known as GhostAction. The PyPI team says none of the tokens were abused to upload malware to their registry.

Shai-Hulud worm reaches 500 packages: A supply-chain attack that deployed a worm on the npm repository has now reached more than 500 packages. The worm has been linked to the same group that carried out a previous npm supply-chain attack known as S1ngularity. Just like in the previous attack, attackers steal access tokens and upload them to public GitHub repositories. The worm skips Windows and only runs on macOS and Linux systems. Security firm UpGuard has also identified at least 17 major companies impacted by the token thefts.

"Interesting. I've seen publicly leaked exfil'd data that are from Windows hosts. See end of this thread: bsky.app/profile/evil"

New CoinbaseCartel extortion group: A new data extortion group named the CoinbaseCartel has been spotted extorting victims this month. Its dark web leak site currently lists ten victims, including some big names like SK Telecom, Desjardins, and NTT Data.

Malware technical reports

CountLoader: Silent Push has discovered a new malware loader named CountLoader that is currently being used by Russian-based initial access brokers in attacks that later deploy ransomware such as LockBit, BlackBasta, and Qilin.

Formbook: Security researcher Cormac Conlon has published a technical write-up on Formbook.

SilentSync RAT: Zscaler has discovered two malicious PyPI packages deploying the new SilentSync RAT. The malware can only run on Windows, can execute remote commands, and has all the infostealing features you want.

SystemBC botnet returns: The SystemBC malware botnet has returned to life and is infecting new devices. The botnet had servers seized by Europol in May last year. According to Lumen, the botnet is now targeting virtual private servers instead of home consumers. They are renting access to the hacked servers to multiple proxy network operators.

New Ivanti device malware: CISA has published details about a new backdoor found deployed on hacked Ivanti devices this year.

BlackLock ransomware: AhnLab has published a report on the BlackLock ransomware, a group that launched in June last year after rebranding from the El Dorado name.

Raven Stealer: Point Wild has spotted a new C and Delphi-based infostealer advertised under the name of Raven Stealer.

XillenStealer: CyFirma looks at XillenStealer, an open-source Python-based infostealer available on GitHub. A commercial version is also being sold online through a dedicated website. Evidence suggests that the malware's creator is a Russian speaker.

In this product demo of the Airlock Digital application control and allowlisting solution, Patrick Gray speaks with Airlock Digital co-founders David Cottingham and Daniel Schell.

APTs, cyber-espionage, and info-ops

CopyCop infrastructure: Recorded Future looks at new infrastructure linked to a Russian influence operation known as CopyCop or Storm-1516. This includes 200 new fictional media websites targeting the United States, France, and Canada, in addition to websites impersonating media brands, political parties, and movements in France, Canada, and Armenia.

Kirk disinfo campaigns: NewsGuard looks at how China, Russia, and Iran used the Charlie Kirk assassination to try and divide the US, or for their own silly political aims, such as trying to link Ukraine or Israel to the gunman.

TA415 abuses VSCode tunnels: A Chinese cyber-espionage group is abusing the VSCode Remote Tunnel feature to control malware in compromised environments. The technique has been used in recent attacks against US think tanks, government, and academic organizations. Proofpoint linked the attacks to a group known as TA415 and APT41.

New MuddyWater tooling and infrastructure: Group-IB has uncovered new infrastructure and malware variants used by the MuddyWater Iranian cyber-espionage group.

Contagious Interview infrastructure: The GitLab security team has identified new infrastructure used to deploy the BeaverTail and InvisibleFerret malware linked to North Korean hackers.

Vulnerabilities, security research, and bug bounty

Bcrypt cracking table update: SpecOps has updated its table of bcrypt cracking times for attackers using modern GPU cards. Insert "correct horse battery staple" joke.

Azure Entra EoP: Dirk-jan Mollema has published a write-up on CVE-2025-55241, a vulnerability that can let attackers gain global admin rights over any Azure Entra ID tenant. This was patched at the start of the month in an emergency Azure security update.

PureVPN IP leak: A software engineer known as Andreas has found two IP leaks in the PureVPN GUI and CLI clients for Linux.

Pixie Dust is still exploitable: Many current router models are still vulnerable to a 10-year-old WiFi attack named Pixie Dust. The attack allows threat actors to recover a router's WPS PIN and access its WiFi network. A NetRise study of 24 current routers found that 20 were still vulnerable.

ShadowLeak ChatGPT zero-click attack: Radware researchers have discovered a zero-click attack that can leak inbox data from a Gmail account that is using ChatGPT's Deep Research email agent, just by sending one malicious email to a victim's account.

Chrome zero-day: Google has released a security update to patch an actively exploited Chrome zero-day. Tracked as CVE-2025-10585, the zero-day is a vulnerability in Chrome's V8 JavaScript engine and was discovered by one of Google's internal security teams. It is the sixth Chrome zero-day patched this year.

WatchGuard security update: WatchGuard has patched an unauth RCE in its Firebox firewalls.

Atlassian security updates: Atlassian released five security updates last week as part of the company's September Patch Tuesday. One of them is a Confluence RCE.

Jenkins security updates: The Jenkins project has published seven security updates for the project's core files.

GitLab security updates: GitLab has released security updates to patch six vulnerabilities in its main product.

Case Theme User exploitation: Threat actors are exploiting a vulnerability in Case Theme User, a WordPress plugin bundled with various commercial WordPress themes. The vulnerability allows remote attackers to access any account on a site if they know a user's email address. According to Wordfence, the plugin is installed on more than 12,000 websites. Exploitation began at the end of August and is ongoing.

Infosec industry

Threat/trend reports: Akamai, Claroty, Emsisoft, Moonlock [PDF], NCC Group, NordVPN, and TIOBE have recently published reports and summaries covering various threats and infosec industry trends.

Companies pull out of ATT&CK evaluations: Three major EDR vendors have pulled out of evaluations for the MITRE ATT&CK framework. The evaluations check whether the EDRs detect common TTPs used in the real world by known threat actors. SentinelOne and Palo Alto Networks pulled out last week, while Microsoft left in June. h/t Patrick Garrity

Netskope increases IPO: Security firm Netskope has raised the price of its IPO from the initial $15/share to $17. Additional coverage in CNBC.

New tool: Fickling: Security firm Trail of Bits has released Fickling, a tool to decompile, analyze, and rewrite Python pickle files, a format used by AI/ML tools.

KazHackStan 2025 streams: Live streams from the KazHackStan 2025 security conference, which took place this week, are available on YouTube. The recordings are in Russian.

Black Alps 2024 videos: Talks from the Black Alps 2024 security conference, which took place last November, are available on YouTube.

In this edition of Seriously Risky Business, Tom Uren and Amberleigh Jack talk about why it is good news that US investment in spyware vendors has skyrocketed. They also discuss the in-principle agreement for TikTok to remain in the US. It's a win-win: a win for China and a win for TikTok, but not so much a win for US national security.

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the limits of a state's cyber power.